Analysis

  • max time kernel
    120s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 22:43

General

  • Target

    c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe

  • Size

    2.6MB

  • MD5

    fa99b3f3c6accb7de65c3bac44149590

  • SHA1

    da03a7623eaf2b009f3f7301675852384fdac01b

  • SHA256

    c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299

  • SHA512

    4ba7d1ae73e813e318d0f933a4c49650214dccce07a48b99be220919bcd9d868215d1a370ad769f2aa9941034a66e1a0522162f05c5d1beb1f5824b6f7c7d131

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bS:sxX7QnxrloE5dpUpvb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, among other things.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
    "C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3336
    • C:\IntelprocQU\xoptisys.exe
      C:\IntelprocQU\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3100

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocQU\xoptisys.exe

    Filesize

    2.6MB

    MD5

    6f26e857617b98903d8ed3bf19d17298

    SHA1

    f654e9a15f686d0a406d9f6d94c3f3c3baf13e7a

    SHA256

    0837dd8460a0493948dac7de38e1c1a347552068448d31b4dcf7b867e0e7ea59

    SHA512

    19d1cda7bae8ea5b58974abc6acac4f869c3aa94fc1aa29256ab503a8c291f10adc0ec5d081f1c8040f86f1f4f11dbc9d6a5bdfd3a0cbcd164b5e28b8e73abb3

  • C:\MintT0\dobxec.exe

    Filesize

    2.6MB

    MD5

    8def5ac95380a585c779833edfd24e26

    SHA1

    438fecb34671a603222a25aa100bf5f2e425ba97

    SHA256

    41da38ee5d1348f7448610c7b5fad753578d3ed084abc7771c111e4f62ccb61d

    SHA512

    4fb8f25346c018ddd3e6b7a66c09f6bb2e99d60676eecfdd56c081b8036456f3c9f9e3912d6a7b3b692be24b8b7d42913163bad6eb09b268dd56f92fcf665674

  • C:\MintT0\dobxec.exe

    Filesize

    1.5MB

    MD5

    99f664cef21bf11cfb2444ea4ea591b3

    SHA1

    adedae24e9abf604ec347df9b67caca443742111

    SHA256

    6bdaf4a24d60fda99be9bf1fa552c56fe6615a8d008a7b349db25aa4793cd95a

    SHA512

    39eaa74f5f614299b36da6305f16e145da98f94cc5d9f6242962abdcbfa52f5a1f73e1d105e36c84f55ea6ccb6bebb86cbacc147ad23eb3b0a798ee99cd81ef9

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    206B

    MD5

    8359f7dfbb447609d29bae8ab8981745

    SHA1

    a7a798bd23a3c976c3b61228f0807610a64f447c

    SHA256

    3bc846958271fcb0496898b2c710e818a31630e1fc3bd6de34ae5f212905371a

    SHA512

    1c162f7caee94c8a070beca9bb95b9c2b31f6589350601b9052bfcb9b8029a3c9cee23ab95593d692d5fabbf51786fc59424132da2c83997a2ade55d566fdb31

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    174B

    MD5

    2709673bd08b72f4f47b12b4f3405b8a

    SHA1

    3bf67f7b7fd64fb31ad8fcf4ed23bf4f9da13f9c

    SHA256

    f98e1c2ce745b2a7f645bc4ae033d830897e499af5856a46304bae3978678f52

    SHA512

    b309ddeae2dfb41b70137d3bd6034d2bbd095bd365248009c966b4801e6208557fb82cd3d63a895778a932ba69f717a156ae06143e0e19459c5f3d2b5eb359e9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

    Filesize

    2.6MB

    MD5

    3b989ecf26c50a46f4f7623d2624c59b

    SHA1

    d1c5d41a4ad561e0a49c1b4863251dfab850f315

    SHA256

    97349ec3c0400e31f0e03205f45b85f32d063173b083506ff492a4bbe2bc8415

    SHA512

    f3c029f77b99785425b1135a957a0ecbb3419d2adba25c52b9af178d98ffe495c16fb774a30490c8b23d39af039576d7fc654b0d280cf77bc92fe5a779ad19c9